Cloud Computing
What is cloud computing?
Model | Description | What it does | Examples
SAAS | Software as a service | Applications often available through a browser | Workday, Salesforce.com
PAAS | Platform as a service | Platform to allow customer to develop applications | Microsoft Azure
IAAS | Infrastructure as a service | Servers, networks for clients to store data on – replaces your data center |
• Most common uses
– Web hosting: 76%
– Email hosting: 57%
– Cloud storage and file sharing: 48%
What does that mean for audit?
Bad news
You don’t know where the computers are, what is on them or what they do
Worse news
You aren’t allowed to check them
Worst of all
The top 4 commissioning departments are IT, Marketing, Sales and HR
Marketing (45%), Sales (43%) and Human Resources (40%) are the three most common departments funding cloud initiatives outside of IT.
What does that mean for audit - consequences
If you don’t know where the computers are, what is on them or what they do…
If you aren’t allowed to check them…
If the business is using the cloud for “business reasons”…
… how do I audit what I used to be able to audit?
Depends on the service
SAAS: Application functionality only
PAAS: All application based controls
IAAS: All system based controls including operating systems and databases
• Check contract
• Contact supplier
Clarify what elements you want to review
• Application
– Functionality
– Segregation of duties
– Field validation
– Logical access controls
– Patching and version
– Disaster recovery
• Operating system
– Logical access controls
– Hardening standards
– Patching
• Database
– Logical access controls
– Hardening standards
– Patching and versions
– Admin access
• Physical security
– Access
If we can:
1. Audit the application
2. Get the right to audit in the contract
3. Persuade the supplier to allow us to audit
… how do I audit the cloud technology deployed?
Virtualization
• We are deploying VMware or equivalent technology so how does it work?
This is a technical audit…
…and you may not be allowed to do it.
• And what exactly are we sharing anyway?
Check Virtualization operating systems are
Infrastructure
• Can your infrastructure take it?
• Bandwidth to cloud?
• Network secure?
Authentication
• VPNs?
Performance
• Issue management
• We are sharing, so our issues could be lost
• How does help desk change?
• System
Legal
• Data protection
• Jurisdiction
– Where is the data exactly?
• Encryption
– Where is it encrypted – at rest, in transit? Backups?
• Data transferability – can I move my data
• Legal and Electronic Discovery
– Can we fulfil legal requirements?
• Contract
The cloud has unique features:
1. Virtualization
2. Infrastructure
3. Authentication
4. Performance
5. Legal
… how do I audit the business benefits?
Why audit the benefits?
Benefit | Claimed % | Not claimed %
Simplified internal operations | 37 | 63
Better delivery of internal resources | 33 | 67
New ways for employees to work | 31 | 69
Faster rollout of new business initiatives | 23 | 77
What does the business say the benefits are?
1. Value for money from reduced costs / Capex
2. Implementation speed
– Agility leads to being able to do things like enter new markets, improved productivity and improved responsiveness to customers
3. Replacing legacy systems so improved capability
4. Enabling business continuity
5. Improved customer support
– Focussed on core business
6. Flexibility and scalability
– Easily deploy your application around the world
What does the business REALLY THINK the benefits are?
Value for money: Cheap
Implementation speed: Don’t need IT interfering
Replacing legacy systems: Gets rid of old stuff
Enabling business continuity: No need for this now
Improved customer support: Gets rid of systems we don’t like dealing with.
Flexibility and scalability: We can increase the size of storage without thinking about the cost or even why we are doing it.
How to audit the benefits and stay relevant
Value for money: What are the true costs?
• Licences
• Operating costs
• CAPEX
• Training
• Cost savings
Implementation speed: How long did it take them to implement?
• Initial project
• Subsequent implementations
• Change requests
Enabling BC: Did they set up new business continuity plans?
Can they cope with:
• DDoS
Flexibility / Scalability: What have they changed?
• Integration and interfaces
• Up-scaling costs
• Flexibility usage
Innovation: What innovation?
• Fundamental changes to processes
• Functionality
In Summary
1. Focus on why you adopted the cloud
2. Understand key management concerns
3. Emphasis is on security, ROI and delivery against contract
4. Don’t rely on certification
5. Alarm bells
– 4th party cloud solutions
– Rogue departments
The Speaker
Robert Findlay
Global Head of IT Audit, Glanbia plc.